Mallory
Unrated | Public exploit

pedit COW

Identifiers: CVE-2026-46331, CWE-787

CVE-2026-46331, nicknamed "pedit COW," is a Linux kernel local privilege escalation vulnerability in the traffic-control subsystem, specifically in net/sched act_pedit. The flaw is in tcf_pedit_act(), which computes the copy-on-write writable range for skb_ensure_writable() only once before iterating over edit keys, using tcfp_off_max_hint. That hint does not account for runtime header offsets introduced by typed keys, so part of the eventual write region may remain outside the privately copied area. As a result, packet-edit operations can perform an out-of-bounds write into shared backing memory, leading to page-cache corruption. The upstream fix moves skb_ensure_writable() into the per-key loop so the actual write offset is known for each edit, adds overflow checks on offset arithmetic, uses skb_cow() for negative offsets affecting headroom, and guards offset_valid() against INT_MIN.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a local unprivileged user to escalate privileges to root by corrupting shared page-cache memory. Public reporting indicates the bug can be used to poison the cached in-memory image of a setuid-root binary such as /bin/su without modifying the file on disk, allowing integrity checks on the filesystem to remain clean while the altered cached image is executed with elevated privileges. In addition to privilege escalation, the underlying memory corruption can affect kernel integrity and system stability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exploitability by preventing use of act_pedit and by disabling unprivileged user namespaces where operationally feasible. Blocking or unloading the act_pedit module and restricting access to traffic-control functionality can remove the reachable attack surface. Because exploitation can poison cached in-memory file images without altering files on disk, any host suspected of exploitation should be treated as compromised and rebooted after remediation.

Remediation

Patch, then assume compromise.

Install a kernel release containing the upstream fix for CVE-2026-46331 and reboot into the patched kernel. The fix changes act_pedit/tcf_pedit_act() so writable-range validation is performed per key with the actual resolved offset, adds overflow checking, uses skb_cow() for negative offsets into headroom, and hardens offset validation for INT_MIN. Vendor-specific fixed packages should be applied where available; for example, Debian stable (trixie) addressed the issue in linux 6.12.94-1 or later.
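An exposure check and the interim hardening described in the mitigation and remediation notes above, as an added example that is not code from the Mallory page or from any vendor. It assumes a Debian-style host and uses the trixie fixed package version 6.12.94-1 the page cites; act_pedit, user.max_user_namespaces and kernel.unprivileged_userns_clone are standard Linux module and sysctl names.

```shell
#!/bin/sh
# Exposure check and interim hardening for CVE-2026-46331 (act_pedit COW).
# Added example, not code from the Mallory page or any vendor. Assumes a
# Debian-style host; 6.12.94-1 is the trixie fixed version the page cites.
set -eu

FIXED_DEBIAN_VERSION="6.12.94-1"

# 0 if act_pedit appears in the given /proc/modules text. A kernel with
# CONFIG_NET_ACT_PEDIT=y has it built in, so this check alone is not enough.
pedit_loaded() {
    printf '%s\n' "$1" | grep -q '^act_pedit '
}

# 0 if the given `sysctl -a` output shows unprivileged user namespaces closed
# by either knob (user.max_user_namespaces is upstream; the other is Debian/Ubuntu).
userns_restricted() {
    printf '%s\n' "$1" | grep -Eq '^(user\.max_user_namespaces|kernel\.unprivileged_userns_clone) = 0$'
}

# 0 if the installed linux package version $1 is at or above the fixed version.
# sort -V approximates dpkg ordering well enough for x.y.z-n strings.
kernel_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_DEBIAN_VERSION" | sort -V | head -n1)
    [ "$lowest" = "$FIXED_DEBIAN_VERSION" ]
}

# Interim hardening (root): refuse to autoload act_pedit, unload it if present,
# and close unprivileged user namespaces. Persist the sysctl via /etc/sysctl.d
# if it must survive a reboot, and revert once the patched kernel is running.
apply_mitigation() {
    printf 'install act_pedit /bin/false\n' > /etc/modprobe.d/cve-2026-46331.conf
    modprobe -r act_pedit 2>/dev/null || true   # harmless if absent or built in
    sysctl -w user.max_user_namespaces=0
}

report() {
    mods=$(cat /proc/modules 2>/dev/null || true)
    sys=$(sysctl -a 2>/dev/null || true)
    pedit_loaded "$mods" && echo "act_pedit: loaded (attack surface reachable)" \
        || echo "act_pedit: not loaded"
    userns_restricted "$sys" && echo "unprivileged userns: restricted" \
        || echo "unprivileged userns: open"
}

case "${1:-}" in
    --report) report ;;
    --apply)  apply_mitigation ;;
esac
```

Run with --report to see the current state and --apply (as root) to install the interim hardening; after rebooting into the fixed kernel, remove the modprobe drop-in and restore the sysctl.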
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTAL

packet_edit_meme | Maturity: PoC | Verified exploit

Repository contains a standalone local Linux privilege-escalation exploit for CVE-2026-46331 plus a reusable primitive and a verification harness. Structure:

(1) pedit_primitive.c/.h implement the core page-cache overwrite primitive by configuring tc/netlink state on the loopback interface and abusing net/sched act_pedit to write beyond a stale COW range into page-cache-backed data sent via sendfile; setup() prepares loopback networking, opens a local TCP listener on 127.0.0.1:4445, and calibrates the file-offset delta using /tmp/.pedit_calib. api_fd_write() exposes the primitive as bounded 4-byte-slot writes to an arbitrary file descriptor, including O_RDONLY descriptors.

(2) test_cve.c is a non-privilege-escalation testcase that creates /tmp/cve_target, reopens it read-only, performs 10 overwrite attempts at varying offsets/sizes, and verifies that the page cache changed despite only holding an O_RDONLY fd.

(3) packet_edit_meme.c weaponizes the primitive into unprivileged local root: it locates a setuid-root su binary, parses ELF headers to find the executable entry-point file offset, forks a child that unshares user and network namespaces, maps itself to uid/gid 0 inside the namespace, calls setup(), and writes x86_64 shellcode over the cached su entry point. The parent then execves su from the initial namespace, causing the setuid-root binary to execute the injected shellcode and spawn an interactive root /bin/sh. Ubuntu-specific logic optionally re-execs through aa-exec with profiles trinity/chrome/flatpak to bypass AppArmor userns restrictions.

Overall, this is a real exploit repository, not just a detector: it provides both a generic arbitrary page-cache overwrite primitive and an operational local root exploit payload.

sgkdev | Disclosed Jun 17, 2026 | Tags: c, makefile, local
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor         Product         Type
Linux          Linux Kernel    operating_system
Rocky Linux    Kernel          operating_system
Rocky Linux    Kernel-Rt       operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
